[c-nsp] ICMP Filtering on firewall
Joel M Snyder
Joel.Snyder at Opus1.COM
Tue Sep 11 06:58:29 EDT 2007
> We are filtering and rate limiting icmp traffic on our border router
> to let in&out:
>
> Echo
> Echo-reply
> Unreachable
> Time-exceeded
>
> What about icmp to our firewall's interfaces?
>
> Shouldn't I allow the firewall to respond to or send those icmp
> messages as well?
>
> What would be the best current practices regarding ICMP traffic to
> firewalls' interfaces?
In general, no one should be talking TO your firewall (although if you
are doing NAT with the external interface of the firewall, this is a
whole different story) but you. Paranoid types like their firewalls to
operate in stealth mode; these are the guys who don't debug problems
very much.
Rational security folks will allow PING (icmp echo/reply) and Traceroute
(TTL exceeded) error responses.
However, it really is the firewall's job to decide what packets it's
going to send back; that's part of the firewall policy. If you are
"protecting" your firewall with your border router, it's a sign that you
may have configured your firewall incorrectly in the first place. Or,
if you don't trust your firewall to handle its external interface, you
really need to find a firewall you can trust.
Generally, the 'best practice' is to do a first cleaning pass on the
border router for things like spoofed IPs and "noisy" attacks (Slammer
is the most obvious), but otherwise let the firewall's policy determine
what it can/should/will receive and send from the Internet. Some folks
also protect the control plane (i.e., block 22/23/80/443) on the
external address of the firewall, but this shouldn't be strictly
necessary if the firewall is properly configured.
jms
--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms at Opus1.COM http://www.opus1.com/jms
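A concrete border-router "first cleaning pass" along the lines Joel describes, as an added Cisco IOS example constructed for this page (not from the thread or from Opus One): anti-spoofing, the Slammer port, only the four ICMP types needed for ping and traceroute (rate-limited), an optional control-plane guard for the firewall's outside address, and everything else handed to the firewall's own policy. The prefix 203.0.113.0/24, the firewall address 203.0.113.2, the interface name and the police rate are assumptions.

```cisco
! Constructed example. Assumes public prefix 203.0.113.0/24 (RFC 5737
! documentation range), firewall outside address 203.0.113.2, uplink Gi0/0.
ip access-list extended BORDER-IN
 remark 1. Anti-spoofing: nothing arriving from the Internet may claim
 remark    our own prefix, loopback or RFC 1918 space as its source
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark 2. "Noisy" worm traffic: Slammer scans UDP/1434 (MS SQL monitor)
 deny   udp any any eq 1434
 remark 3. ICMP: only echo/echo-reply/unreachable/time-exceeded reach
 remark    the firewall and the hosts behind it; other types stop here
 permit icmp any 203.0.113.0 0.0.0.255 echo
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 deny   icmp any any
 remark 4. Optional control-plane guard for the firewall's own address;
 remark    a correctly configured firewall refuses these itself, and
 remark    skip this block if the firewall NATs on its outside address
 deny   tcp any host 203.0.113.2 eq 22
 deny   tcp any host 203.0.113.2 eq 23
 deny   tcp any host 203.0.113.2 eq 80
 deny   tcp any host 203.0.113.2 eq 443
 remark 5. Everything else: the firewall policy decides
 permit ip any any
!
! Rate-limit the permitted ICMP so a flood cannot saturate the firewall
ip access-list extended ICMP-PING-TRACE
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
!
class-map match-any CM-ICMP
 match access-group name ICMP-PING-TRACE
!
policy-map PM-BORDER-IN
 class CM-ICMP
  police 256000 16000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group BORDER-IN in
 service-policy input PM-BORDER-IN
```

The hit counters from `show ip access-lists BORDER-IN` and `show policy-map interface GigabitEthernet0/0` show whether the anti-spoof entries and the ICMP policer are actually matching traffic, which is the check to run before tightening anything further.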